P0 App Documentation
Sign up for FreeSandbox
  • What Is P0?
    • πŸŽ›οΈIAM Dashboard
    • πŸ”ŽAccess Inventory
    • πŸͺ‘IAM Posture
    • ⏱️Just-In-Time Access
    • ♻️Service-Account Key Rotation
  • Getting Started
    • ⬇️Quick Start
    • 🎁Share P0 With Your Team
  • INVENTORY
    • πŸ—ΊοΈAccess Inventory
    • πŸ”¬Result Details
    • ❔Query Search
      • πŸ“–Search Reference
  • Posture
    • βš–οΈPosture Overview
  • Monitor Results
  • πŸ€”Finding Details
  • ORCHESTRATION
    • ⏰Just-in-time access
      • πŸ–οΈRequesting Access
        • πŸ‘‰For Another Party
      • 🏁Approving Access
        • Pre-approving Access
      • πŸ”€Request Routing
        • Google Cloud Filtering
        • AWS Filtering
  • Environments
    • ☁️Creating an Environment
    • πŸ““Environment Terminology
    • βš™οΈSettings
  • Integrations
    • πŸ“žNotifier integrations
      • πŸ’¬Slack
      • πŸ‘¬Microsoft Teams
      • πŸ“£Custom Notifier
    • πŸ”‘Resource integrations
      • ☁️Google Cloud
        • Requesting Access
        • Permissions Reference
          • Cloud Storage
          • Compute Engine
      • πŸ“¦AWS
        • Requesting Access
      • ☸️Kubernetes
        • Requesting Access
        • Advanced Requests
      • πŸ”‹PostgreSQL
        • Requesting Access
      • ❄️Snowflake
      • πŸ–₯️SSH
      • GitHub
        • Requesting Access
      • πŸ› οΈCustom Resource
    • πŸ‘₯Directory integrations
      • Microsoft Entra ID
        • Requesting Access
      • Google Workspace
      • Integrate P0 with Okta
    • βœ”οΈApproval integrations
      • πŸ””PagerDuty
    • πŸ”ŒSIEM Integrations
      • Splunk HEC Setup
  • P0 Management
    • 🎩Role-Based Access Control
Powered by GitBook
On this page
  • Request Access in Slack
  • Slack Bot Request Approval, Denial, and Errors
  • Slack Bot Request Approval
  • Slack Bot Request Denial
  • Request Access Error
  • How Kubernetes Access Works
  • Example
  1. Integrations
  2. Resource integrations
  3. Kubernetes

Requesting Access

How to request access to Kubernetes permissions, roles, and resources through the P0 bot

PreviousKubernetesNextAdvanced Requests

Last updated 2 months ago

This topic describes how to request access to a Kubernetes cluster using P0's Slack bot. It contains the following sections:

Request Access in Slack

To request access using the Slack bot:

  1. Open Slack and send /p0 request as a Slack message in any direct message (DM) or Slack channel. This opens the P0 request modal:

  2. In the popup, set Resources to Kubernetes, specify the cluster name, and populate the remaining fields with the specific access you want to request.

    • cluster-admin

    • admin

    • edit

    • view

By default, you can request all resources except system resources, such as objects in the kube-system namespace. The same applies to roles, however, you can request the following pre-defined Kubernetes cluster roles:

  1. Click Request to initiate the request process. The Slack bot will:

    • Generate a message confirming your request creation.

    • Send a message to the approvers in the Slack channel designated by your organization's admin.

    The following describes how P0 handles different scenarios:

    • If your request is approved, the Slack bot generates a message in the p0-requests Slack channel, indicating your access has been granted, and when it will expire.

    • If you are on-call (on a PagerDuty schedule) and your organization’s admin has enabled PagerDuty routing, your access may be automatically approved for one hour.

Slack Bot Request Approval, Denial, and Errors

Your request must be approved or denied by an authorized member of your organization. Once approved or denied, you will have options to change / update your request within the P0 Security Slack DM.

On occasion you may run into request errors, and the bot will notify you during your request.

To learn more see the following subsections:

Slack Bot Request Approval

After your request is approved, the Slack bot displays a Relinquish button within the P0 Security Slack DM, with a link to the original p0-requests channel. You can use this button to remove your access early, if you complete use prior to the expiration date.

This revokes the access, and you must make a new request if you need it again.

Once access expires (either through timing out, or via the Relinquish button), the Slack bot sends an expiration message from the P0 Security app Slack DM and the p0-requests channel.

You may re-request the same access using the Request Access button, if you need to extend your session.

Slack Bot Request Denial

If your request is denied, the Slack bot sends a message from the P0 Security Slack DM and the p0-requests channel, indicating the reason for denial.

Example from the P0 Security Slack DM:

Example from the p0-requests channel:

Request Access Error

If there is an error with your request, due to prerequisite permissions issues, the Slack bot sends a message from the P0 Security Slack DM and the p0-requests channel, indicating the reason for the error.

Example from the P0 Security Slack DM:

Example from the p0-requests channel:

How Kubernetes Access Works

When a request is approved, P0 creates a temporary cluster role from the role's rules that apply to the selected resource. This cluster role is then assigned to the requestor with one of the following:

  • Cluster role binding (if the resource is a cluster-level resource or the request applies to all namespaces)

  • Namespaced role binding (If the resource is in a specific namespace)

Example

The following screenshot shows how to request the view cluster role and Deployments / default / nginx-deployment resource with read access to the nginx-deployment in the default namespace.

Upon approval of this request P0, creates a cluster role and role binding.

The generated role contains all the rules from the view cluster role that apply to a deployment resource, restricted only to nginx-deployment:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
 creationTimestamp: "2077-08-19T22:01:29Z"
 name: p0-view-Deployments-VpL...
 resourceVersion: "425167"
 uid: 0592e...
rules:
- apiGroups: [apps]
 resourceNames: [nginx-deployment]
 resources: [deployments]
 verbs: [get, list, watch]
- apiGroups: [extensions]
 resourceNames: [nginx-deployment]
 resources: [deployments]
 verbs: [get, list, watch]

The generated namespaced role binding links the cluster role to the requestor john.smith@company.com:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
 creationTimestamp: "2077-08-19T22:01:29Z"
 name: p0-view-Deployments-VpL...-binding
 namespace: default
 resourceVersion: "425168"
 uid: c0a5ea1...
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: p0-view-Deployments-VpL...
subjects:
- apiGroup: rbac.authorization.k8s.io
 kind: User
 name: john.smith@company.com

If the Kubernetes cluster is hosted on AWS EKS, then P0 also modifies the aws-auth ConfigMap object to map the user ARN to the Kubernetes user john.smith@company.com.

apiVersion: v1
data:
 mapRoles: |
   - groups:
     - system:bootstrappers
     - system:nodes
     rolearn: arn:aws:iam::12...:role/eksNodeRole
     username: system:node:{{EC2PrivateDNSName}}
 mapUsers: |
   - userarn: arn:aws:iam::12...:user/john.smith@company.com
     username: john.smith@company.com
kind: ConfigMap
metadata:
 creationTimestamp: "2077-08-17T21:34:09Z"
 name: aws-auth
 namespace: kube-system
 resourceVersion: "425175"
 uid: b8f11...

πŸ”‘
☸️
Slack Bot Request Approval
Slack Bot Request Denial
Request Access Error
Request Access in Slack
Slack Bot Request Approval, Denial, and Errors
How Kubernetes Access Works